Send generic responses from the API to the client, or be more specific in the response?
Example: User Credentials Validation
the field "password" sent from the client doesn't match the password stored in the DB. Should I send a generic message in the response, like "Invalid Credentials", or can I be more specific, like "field 'password' is invalid"?
Same idea for other validation errors too... should I specifically tell the browser what was wrong with the request?
Is there a convention in this situation? I mean... I can be specific about validation errors, but for other types of errors I should be more generic for security reasons.
Are you using these responses for a user facing message or something internal for you to manage?
if user facing, then I think something more generic like "Invalid Credentials" is just fine
the browser will be receiving the responses
got it
user facing => what it will show in the interface
internal => intercepting the API response and modifying it for the interface
both go to the browser, just one is "do I modify the response" or "just give the unfiltered response"
ooh
so yeah, it'll be something internal
Now I would recommend for something like registration, that you would specify the field that is wrong like if it doesn't pass rules that you've defined, but for a login, just something generic is easier
I've seen some error messages like "That user wasn't found" but to me that is different than saying "you didn't type something correctly," so just saying the credentials are invalid or similar feels the most accurate without accidentally giving db fields out
got that
thank you andrew
oh I created this question in the frontend field... my bad
backend would've been more appropriate
I mean teeeeechnically it's a frontend problem 😉
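As an added example (not code from anyone in this thread), here is a Python sketch of the split Andrew describes: the login endpoint returns one generic error whether the user is missing or the password is wrong, and does the same amount of hashing either way so the response time doesn't leak it, while registration reports which field failed which rule. The in-memory user store, hashing parameters and field rules are assumptions for the demo.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory user store: username -> (salt, PBKDF2-SHA256 hash).
# The credentials and iteration count are placeholders for the demo only.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy entry checked for unknown users, so a miss costs the same time as
# a hit and neither the message nor the timing reveals whether the account exists.
_DUMMY = (_SALT, _hash("dummy", _SALT))

GENERIC_LOGIN_ERROR = {"error": "Invalid credentials"}

def login(username: str, password: str) -> dict:
    """Login: one generic message, whatever the reason for failure."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if username not in USERS or not ok:
        return {"status": 401, "body": GENERIC_LOGIN_ERROR}
    return {"status": 200, "body": {"user": username}}

def validate_registration(form: dict) -> dict:
    """Registration: per-field errors are fine, the rules are public anyway.
    Only the rule that failed is reported, never anything stored in the DB."""
    errors = {}
    if not re.fullmatch(r"[a-z0-9_]{3,32}", form.get("username", "")):
        errors["username"] = "3-32 lowercase letters, digits or underscores"
    if len(form.get("password", "")) < 12:
        errors["password"] = "must be at least 12 characters"
    if form.get("password") != form.get("password_confirm"):
        errors["password_confirm"] = "does not match password"
    if errors:
        return {"status": 422, "body": {"errors": errors}}
    return {"status": 201, "body": {"user": form["username"]}}
```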